Mobile Threat Blog


Mythbusters: Malware Protection is Mobile App Protection

If you’re one of the many IT security pros who believes that by protecting against malware, you’re protecting your enterprise from all mobile app risks – then you’ve got a security problem that needs attention. Fast. Read on to see how we prove this mobile security myth wrong with a comparison of malware vs. non-malicious app risks and a checklist for full mobile app protection via Mobile Threat Defense solutions.

Malware-only Focus = false security

No doubt, malware is a high profile mobile threat. It’s widely understood and is well reported in the news, leading many corporate security teams to think malware detection is the top mobile security concern.

Apple and Google are heavily invested in finding and eliminating malware before it reaches their official app stores, where it can damage their reputations and businesses. Nonetheless, some malicious apps still get past app store screening processes and still require detection and remediation, for which a number of security solutions exist.

But focusing on malware protection alone creates a false sense of security: the belief that addressing malware has taken care of all of an enterprise’s app security issues. The reality is that malware security is just that – protection against malware. Malware is just the visible tip of the iceberg atop a vast and growing array of mobile app threats that pose significant and costly data exposure, data exfiltration, privacy and compliance risks. These threats eclipse the risk from malware in number, scale, cost and risk to your enterprise. That’s why, if you’re only protecting against malware, you’ve got a security problem that is leaving your enterprise exposed.

Malware vs. Other Mobile App Risks

Let’s start with assessing the overall malware risk relative to other mobile app risks using the three main criteria for evaluating and prioritizing mobile threats: frequency, degree of difficulty, and scale of impact.

Frequency: occurrence of malware in enterprise devices

Apple and Google invest significantly in keeping malware out of their official app stores as a means of protecting both their customers and their revenue. If you require devices in your enterprise to only download apps from the official app stores, you’re already minimizing the risk of malware. Only about 0.5% of enterprise devices that stick to apps from official app stores become impacted by malware. Contrast that with the occurrence of non-malware app risks, like data exfiltration, software-based vulnerabilities, and unauthorized access to cloud storage, which are not identified by app stores (see our myth on how app store vetting is not enterprise grade), and we see that over 50% of mobile apps have non-malware risks. With an average of 30 apps per device, that means there could be 15 risky apps on every device in your enterprise.

Assessment: Non-malware app risks are significantly more prevalent than malware.

Difficulty: effort required to deploy malicious apps

It takes a lot of work to develop a malware app and successfully sneak it into circulation. Bad actors need to create the app, insert malware, get it past the Apple or Google app screening process, and then trick users into downloading and installing the app in order to succeed with a malware attack. On the other hand, many non-malicious mobile app risks that threaten enterprise data are posed by vulnerabilities unintentionally coded into mobile apps – taking virtually zero effort and often even happening by accident. For example, it’s not uncommon to find apps where developers accidentally hardcode their credentials or leave a back-end data store unsecured, creating a path for unauthorized access to large amounts of your sensitive enterprise data. This was the case in our discovery of the Eavesdropper vulnerability, in which poor coding practices exposed sales, medical and other confidential discussion data from millions of texts and calls and gave credentialed access to over 2,000 Amazon S3 accounts and nearly 22,000 live data storage buckets.

Assessment: it takes significantly less effort to introduce non-malware app risks.

Impact: volume of users and data compromised

It’s also important to consider the blast radius of a malicious attack – how many users and how much data is compromised? Malware attacks one user and one set of data at a time, creating a relatively small blast radius. In order to gain access to massive amounts of sensitive data, malware needs to be extremely widespread. On the other hand, app-level or app back-end-level vulnerabilities have a massive blast radius, capable of exposing the sensitive data of millions of users, and even whole companies, in a single breach. This was the case with the Hospital Gown vulnerability, where unsecured back-end servers were exposing large amounts of enterprise data through a mobile app vulnerability. In all, 21,000 servers with 43TB of data – some of it ransomed – were accessible in a single step through a mobile app vulnerability that had nothing to do with malware and wasn’t screened for by app stores. Because detection of these kinds of vulnerabilities requires sophisticated, deep analysis, they are harder to identify than malware and often go undiscovered for years, ultimately increasing the size and cost of a resulting data breach.

Assessment: non-malware app risks have a higher blast radius than malware.

Given this comparison of malware to other app risks, it’s clear that malware protection alone doesn’t provide complete protection against mobile app threats. For enterprise grade protection, you need a Mobile Threat Defense (MTD) solution that can look beyond malware to detect and manage the many more significant risks posed by non-malicious mobile app vulnerabilities.

MTD checklist for mobile app protection

When evaluating MTD solutions to protect against mobile app threats, keep in mind that, while they all offer “app security”, not all app security approaches are created equal. You’ll want to carefully assess capabilities in these areas:

Malware detection vs. malware lookup – Make sure that the MTD solution you deploy is capable of detecting malware based on behavioral rules and real app analysis and that the vendor does its own mobile malware research. This will ensure that protection continuously evolves as new threats emerge. Many solutions on the market simply compare apps against commercial databases of known malware, like VirusTotal. This not only limits detection capabilities to known malware threats, but also completely misses malware which has been repackaged (via hash changes) or new malware families that could be detected by app behavioral analysis.

Deep mobile app analysis – To comprehensively identify mobile app vulnerabilities, your MTD solution must analyze apps with deep testing that involves static analysis (looking at the app code), dynamic app testing (running the app in a highly instrumented and monitored sandbox to see how it behaves), back-end analysis (monitoring app traffic to see what data is transferred, how it’s protected, and where it’s going), as well as checking the security of each back end that the app communicates with. Further, the analysis should look for a range of security concerns, such as poor encryption, malware behaviors, data exposure vulnerabilities in the code, and other risks to regulatory and security policy compliance.
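To make the two checklist points above concrete (hash lookup vs. behavioral rules, and static analysis for the credential and back-end risks the text describes), here is an added illustration, not code from the original post or from any MTD product. It runs three checks over two constructed sample packages: a whole-package hash lookup, a permission/API behavioral rule, and a static scan of string constants; the extracted fields, the key pattern and the rule names are assumptions made for the example.

```python
import hashlib
import json
import re

# Constructed stand-ins for what an analysis pipeline extracts from a package:
# declared permissions, API symbols the code references, string constants and
# a resource file. None of this is a real app; the values are made up.
ORIGINAL = {
    "permissions": ["RECEIVE_SMS", "READ_SMS", "INTERNET"],
    "apis": ["SmsManager.getDefault", "HttpURLConnection.connect"],
    "strings": ["http://collector.example.test/upload",
                "aws_key=AKIAEXAMPLEEXAMPLE01"],
    "resources": "icon-v1.png",
}
# Same code and permissions; only a resource differs, so the package hash does.
VARIANT = dict(ORIGINAL, resources="icon-v2.png")

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")   # shape of an AWS access key id
CLEARTEXT_URL = re.compile(r"\bhttp://[^\s\"']+")  # backend reached without TLS

def package_hash(app):
    # Whole-package fingerprint, the key a hash-lookup service matches on.
    return hashlib.sha256(json.dumps(app, sort_keys=True).encode()).hexdigest()

def hash_lookup(app, known_bad):
    # Lookup-style detection: fires only for a byte-identical catalogued sample.
    return package_hash(app) in known_bad

def behavioral_rule(app):
    # Rule-style detection: SMS access combined with an outbound network channel.
    perms, apis = set(app["permissions"]), app["apis"]
    reads_sms = bool({"RECEIVE_SMS", "READ_SMS"} & perms)
    has_net = "INTERNET" in perms and any("Http" in a for a in apis)
    return ["sms-read-with-network-exfil"] if reads_sms and has_net else []

def static_findings(app):
    # Static checks for the non-malware risks the text describes.
    findings = []
    for s in app["strings"]:
        if AWS_KEY_ID.search(s):
            findings.append("hardcoded-aws-access-key")
        if CLEARTEXT_URL.search(s):
            findings.append("cleartext-backend-url")
    return findings

if __name__ == "__main__":
    known = {package_hash(ORIGINAL)}  # only the first build was ever catalogued
    for name, app in (("original", ORIGINAL), ("variant", VARIANT)):
        print(name, hash_lookup(app, known), behavioral_rule(app),
              static_findings(app))
```

The variant is missed by the hash lookup but still flagged by the behavioral rule, and both builds carry the hardcoded key and cleartext back-end URL that no malware signature would report.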

Continuous app analysis – Be sure that your MTD solution can analyze mobile apps across every single version, on every single device in your enterprise environment, on a continuous basis. Many MTD solutions that do app analysis do so on an ad-hoc, on-demand basis for a few customer-submitted apps, and this simply isn’t enough to protect your enterprise data and employee privacy. Apps are updated frequently, and updates sometimes correct security issues but often also introduce new risks. Multiple versions of any given app may be present in your environment, so only looking at one version doesn’t give a true picture of your app risk.

Is malware protection equivalent to mobile app protection? Not even close. Without scanning the mobile apps in your enterprise for all mobile app risks, you can’t possibly know which apps pose a risk and which are safe for your employees to use.